From d659fe8666c4bc38fcbdbe7b7a35101f2d7cc41b Mon Sep 17 00:00:00 2001
From: John Kehayias <john@guixotic.coop>
Date: Sun, 15 Feb 2026 23:35:20 -0500
Subject: gnu: glibc: Graft with fix for unsafe env variable [security-fixes].

Before this change, the environment variable GUIX_LOCPATH is not in the unsafe
variable list, meaning that it is not unset in a privileged environment.  This
could lead to potential security issues.  A CVE number is pending for this
issue.  A similar upstream glibc issue was CVE-2023-4911.

* gnu/packages/base.scm (glibc)[replacement]: Add field to graft with ...
(glibc/fixed): ... this new package.
* gnu/packages/patches/glibc-guix-locpath.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.

Change-Id: I74d87ce543bfba7d5f424efb2b87926ca336c725
Reported-by: "Stefan" <stefan-guix@vodafonemail.de>
---
 gnu/packages/base.scm | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

(limited to 'gnu/packages/base.scm')

diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index 81913168c16..31ad20e2ee9 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -21,7 +21,7 @@
 ;;; Copyright © 2021 Guillaume Le Vaillant <glv@posteo.net>
 ;;; Copyright © 2021, 2024 Maxim Cournoyer <maxim@guixotic.coop>
 ;;; Copyright © 2022 zamfofex <zamfofex@twdb.moe>
-;;; Copyright © 2022 John Kehayias <john.kehayias@protonmail.com>
+;;; Copyright © 2022, 2026 John Kehayias <john@guixotic.coop>
 ;;; Copyright © 2023 Josselin Poiret <dev@jpoiret.xyz>
 ;;; Copyright © 2024, 2025 Zheng Junjie <z572@z572.online>
 ;;;
@@ -957,6 +957,7 @@ the store.")
    (properties `((lint-hidden-cve . ("CVE-2024-2961"
                                      "CVE-2024-33601" "CVE-2024-33602"
                                      "CVE-2024-33600" "CVE-2024-33599"))))
+   (replacement glibc/fixed)
    (build-system gnu-build-system)
 
    ;; Glibc's <limits.h> refers to <linux/limit.h>, for instance, so glibc
@@ -1234,6 +1235,17 @@ with the Linux kernel.")
    (license lgpl2.0+)
    (home-page "https://www.gnu.org/software/libc/")))
 
+(define glibc/fixed
+  (package
+    (inherit glibc)
+    (name "glibc")
+    (source (origin
+              (inherit (package-source glibc))
+              ;; XXX: When ungrafting, add the included patch to
+              ;; %glibc-patches.
+              (patches (cons (search-patch "glibc-guix-locpath.patch")
+                             (origin-patches (package-source glibc))))))))
+
 ;; Define a variation of glibc which uses the default /etc/ld.so.cache, useful
 ;; in FHS containers.
 (define-public glibc-for-fhs
-- 
cgit v1.3